Follow the PIPA
RG Magazines, https://www.rgmags.com/2019/11/follow-the-pipa/, Mon, 04 Nov 2019

Safeguarding employees’ personal information

by Juliana Snelling and Olga Rankin

Protecting private records from exposure has always been important, but the advancement of digital technology has exacerbated the need to guard against the misuse of personal information, or data.

Perils include identity theft, phishing scams, cybercriminal activities, fraudulent credit card and banking charges, and any number of other threats. In response, Bermuda has adopted data protection legislation, the Personal Information Protection Act 2016. The majority of PIPA has not yet come into force, but employers are advised to prepare to comply in anticipation of its expected commencement in the near future.

PIPA is particularly important for employers because everyday business operations necessitate the processing of personal information relating to employees, clients and professional contacts for purposes that include recruitment, administration, AML/ATF compliance, background checks, government surveys, health insurance, sick leave monitoring, billing and payroll, etc.

PIPA is designed to control the way businesses collect, store and process personal information. “Personal information” relates to any detail identifying a person by reference to certain attributes, such as name and address, date of birth and other identifiers. PIPA offers stronger protections for “sensitive personal information” covering, for example, origin, race, gender, sexual orientation, family status, physical or mental disability, religious beliefs, political opinions, trade union membership, biometrics or genetics, etc.

Such information may only be obtained if the nature of the employment justifies it but may never be used without the person’s consent or to discriminate in any way.

Employers must use personal data in a lawful and fair manner and put in place security safeguards to protect it against loss, unauthorised access, disclosure or destruction. They must ensure that it is accurate and current and not kept for longer than is necessary. They must also appoint their own Privacy Officer to ensure compliance. PIPA itself will be overseen by the new office of the Privacy Commissioner who will have power, inter alia, to conduct investigations and issue warnings.

Employers must also publish a “privacy notice” containing the organisation’s data practices and policies, including the purpose for which the data was collected and the name of the Privacy Officer. The criminal penalty for non-compliance is severe – a fine of up to $25,000 or two years’ imprisonment, or both, while the penalty for an organisation is a fine of up to $250,000.

Where a Bermuda entity transfers personal data overseas for a third party’s use, the Bermuda entity will remain responsible for compliance with PIPA. This is of vital importance for multinational employers who routinely exchange personal data about their staff across national borders.

The implementation of PIPA will allow Bermuda to apply for EU “adequacy” status, which allows data to flow freely to and from a non-EU country without the latter having to implement costly safeguards. Offshore jurisdictions already enjoying this status include Jersey and the Isle of Man.

More fundamentally, the commencement of PIPA will help bring Bermuda closer into line with international data protection standards, thereby enhancing our island’s reputation as a place that will not tolerate the abuse or misuse of data concerning its people.

Juliana Snelling is director of Canterbury Law Ltd and her colleague Olga Rankin is an associate attorney.

This article was originally featured in the TOP TEN 2019 edition of the RG Business Magazine.

Some Perspective on Bermuda’s PIPA – Why Does it Matter?
RG Magazines, https://www.rgmags.com/2018/12/bermudas-pipa-why-does-it-matter/, Wed, 19 Dec 2018

George Thomas is Senior Advisor of Consulting at PwC Bermuda.

Operating in Bermuda, an international financial centre, forces business people to remain abreast of the constantly changing landscape of global regulations. These regulations, almost invariably, are condensed into acronyms, drowning us in a sea of alphabet soup: AML…KYC…ATF…FATCA…BEPS…CFATF…CRS…and the list goes on. Of course, who could ever forget the most dreaded acronym in recent memory that consumed extensive resources and time: Y2K?

Two new acronyms entered our regulatory lexicon in the past two years: GDPR and PIPA. These regulations both address the need to protect the privacy of individuals in the age of the internet and the constant flow of digital information.

The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) and came into force on May 25, 2018. The GDPR protects EU citizens by giving individuals more control over how companies use their personal data, usually referred to as “PII” or Personally Identifiable Information.

How many readers started receiving interesting emails from online companies disclosing their privacy policies in April and May 2018? How many have been suddenly forced to review and acknowledge privacy policies in pop-up windows before being able to proceed with normal browsing? These actions by companies were directly related to GDPR and the potential risk of significant fines for noncompliance: the greater of 20,000,000 Euros or 4 percent of worldwide revenue.

A look at Bermuda’s PIPA

Bermuda created our own Personal Information Protection Act (PIPA) of 2016 to establish local legislation and regulations, essentially to meet EU data privacy standards. PIPA received Royal Assent on July 27, 2016 and is expected to go into force once an independent Privacy Commissioner is appointed to ensure the aims of PIPA are being met and to oversee compliance. Once the Privacy Commissioner is appointed, it is expected that there will be a period of consultation with industry in advance of final implementation or any enforcement action.

Why are these regulations so important? Globally recognized companies have been hacked, leaving millions of records of PII compromised, including Equifax (146 million records), Under Armour (150 million) and Yahoo! (three billion records). While these numbers may seem high at first glance, we need only reflect on our daily activity and how we communicate with each other. We are constantly on devices connected to the internet, generating and sharing information, leaving a digital footprint. This graphic shows the staggering amount of data that is generated each minute on the internet.

In this day and age, every organization needs to understand the information that drives the components of its business model; the organization’s information lifecycle.

[PricewaterhouseCoopers graphic: the information lifecycle]

This lifecycle starts with the creation and/or acquisition of information. Organisations must understand what data is being collected and created, who it comes from, how it is obtained, and through what channels. Next, the organization needs to understand where data is stored, both within and outside the company, and in which systems, including paper-based filing systems.

The organization then needs to develop a complete picture of how the data is being used, what it is being used for, and who is using it. Data is frequently in motion or transmission, being shared inside and outside the company, sometimes across multiple jurisdictions. Last, but certainly not least, the organization needs to decide on options for archiving and ultimately disposing of data. How is data retained, both by the company and by third parties, for how long, and how is it destroyed?

Policies, procedures, and controls provide the framework for effectively implementing the elements of an organization’s information lifecycle. Policies are created to meet the organization’s legal and regulatory obligations. Procedures describe step-by-step processes that enable the firm to carry out workflows in a manner that is consistent with the policies. Controls are designed and tested to provide evidence and comfort to management and the board of directors that the policies are, in fact, being followed in a consistent manner.

Limit, protect and respect!

There are three principles to apply when dealing with personal data: limit, protect and respect.

[PricewaterhouseCoopers graphic: guiding principles for handling personal data]

Limit the personal data you collect to include only what you need to perform services. Be diligent and judicious about what you collect and make sure you only use that information for the designated business purpose.

Protect the data that you collect through effective procedures and controls. Access should be restricted to only those who need the information. Flexible and remote working on laptops, tablets and phones, and reading printed materials on airplanes or in transit, create potential exposure of sensitive information.

Respect the rights of the individuals whose personal data you collect, store and share. GDPR requires transparency, the ability for individuals to opt in or not, and providing individuals the right to be forgotten.

Board governance

Ultimately, the board of directors and executive management of each organization must understand and embrace the dynamics of privacy in the age of GDPR and PIPA. Data privacy is a critical element of risk that must be incorporated in the Enterprise Risk Management framework for every organization.

Oversight of information technology and digital assets is a growing focus for boards and, with the pressures of GDPR, expectations for director performance are increasing. According to PwC’s 2018 Annual Corporate Directors Survey, more than four out of five directors (83 percent) say their board is very or moderately involved in monitoring the status of major IT projects. Close to 75 percent say the same about the company’s digital strategy.

With the major security breaches involving data privacy and new governmental regulations, many more directors also say they are engaged with overseeing or understanding big data. The percentage of directors saying their boards are at least moderately involved jumped to 65 percent from 51 percent in 2016. Directors also report being much more involved in overseeing how their company leverages and monitors social media. Both of these areas have shown substantial increases since 2016.

The principles for handling personal data in a prudent manner provide guidance to organizations. The board and executive team must give clear direction and set the tone regarding the importance of data privacy and establish an appropriate operational framework, including appointing a data privacy officer (DPO). Effective policies and procedures, tested on a consistent basis through well-designed controls, can ensure that the organization is meeting global standards.
